08 NCAC 04 .0308 AUTHORIZED ACCESS TO VOTING SYSTEM INFORMATION IN ESCROW

(a)  Subject to the provisions of this Rule, upon written request from a person or entity authorized under G.S. 163-165.7(a)(6) to a vendor of a certified voting system in this state, the vendor shall make available for review and examination any information placed in escrow under G.S. 163-165.9A to an authorized person. The person or entity making the request shall simultaneously provide a copy of the request to the State Board. Any request from the State chairs of a political party recognized under G.S. 163-96 shall be made no later than 90 days before the start of early voting in the state. This Rule does not address or restrict the pre-certification review of a vendor's source code under G.S. 163-165.7(e).

(b)  Authorized Persons. Only authorized persons may review and examine the information placed in escrow by a voting system vendor. For the purpose of this Rule, "authorized person" means a person who:

(1)           Is an agent:

(A)          designated by majority vote in a public meeting by the State Board or a purchasing county's board of commissioners;

(B)          designated in writing by the chair of a political party recognized under G.S. 163-96; or

(C)          designated in writing by the Secretary of Department of Information Technology. No more than three people may be designated by an authorized entity under G.S. 163-165.7(f)(9);

(2)           Has submitted to a criminal history record check, to be facilitated by the State Board, as provided for in G.S. 163-27.2(b) and has not been convicted of a disqualifying offense. Disqualifying offenses shall be all felonies, and any misdemeanors that involve theft, deception, the unlawful concealment or dissemination of information, falsification or destruction of records, or the unlawful access to information or facilities. The requirement to submit to a criminal history record check does not apply to State employees who have already submitted to a criminal history record check for State employment;

(3)           Has submitted to the State Board a résumé detailing the person's experience with voting systems and information technology, to include any training or experience pertaining to computer code development or analysis;

(4)           Has submitted to the State Board a sworn affidavit, under penalty of perjury, attesting that the person:

(A)          has never been found by a court of law, administrative body, or former or current employer to have disclosed without authorization confidential information that the person had access to;

(B)          has never been, either in their private capacity or in any capacity as an agent for another person or entity, subject to any civil or criminal claims alleging misappropriation of a trade secret, violation of confidentiality agreement or nondisclosure agreement, copyright infringement, patent infringement, or unauthorized disclosure of any information protected from disclosure by law, except to the extent any such claims were dismissed with prejudice and not pursuant to a settlement agreement;

(C)          has never had a security clearance issued by a federal agency revoked for any reason other than expiration of the clearance;

(D)          if granted access to review and examine the information placed in escrow, will not disclose or reveal any proprietary information to which the Authorized Person is granted access, pursuant to G.S. 132-1.2, to any person outside of the individuals or entities identified in G.S. 163-165.7(a)(6), testing and certification program staff at the U.S. Election Assistance Commission, election infrastructure security staff for the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security, or a court of law using the court's procedures to file such information under seal;

(E)           will not disclose or reveal any feature, component, or perceived flaw or vulnerability of the information placed in escrow by a voting system vendor, pursuant to G.S. 132-1.7(a2), G.S. 132-1.7(b), and G.S. 132-6.1(c), to any person outside of other persons authorized under this Rule, the State Board, the vendor, testing and certification program staff at the U.S. Election Assistance Commission, election infrastructure security staff for the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security, or a court of law using the court's procedures to file such information under seal;

(F)           will submit copies of any notes taken during the examination of the information in escrow to the State Board;

(G)          acknowledges that, should the person disclose any information placed in escrow that is protected under state or federal law in contravention of Part (b)(4)(D) or (E) of this Rule, the person will be subject to any remedies provided by law which could include monetary damages; and

(H)          will provide the vendor and the State Board with prompt written notice if the person becomes or is likely to be compelled by law to disclose any of the escrow information, will cooperate with the vendor and the State Board to obtain a protective order or other appropriate remedy, and, in the event any escrow information must be disclosed pursuant to legal compulsion, will disclose only the portion of information that the person is legally required to disclose in the written opinion of its counsel; and

(5)           Consents in writing to searches of their person and effects, similar in nature to searches that members of the public submit to when entering the office buildings of the General Assembly, to be conducted upon entry into the secure facility described in Subparagraph (d)(1) of this Rule; and

(6)           Is a citizen of the United States.

(c)  Within 30 days of meeting the definition of an authorized person in Paragraph (b) of this Rule, the Executive Director of the State Board shall issue a written authorization to the person or entity making the request under Paragraph (a) of this Rule to review and examine information placed in escrow by a voting system vendor. The authorization shall be presented by the person or entity to the vendor prior to gaining access to such information under this Rule.

(d)  Conditions of Access. When providing access to information in escrow pursuant to this Rule, the State Board and vendor shall ensure the following conditions are met:

(1)           The information in escrow shall be made available by the vendor on up to three computers provided by the vendor (one for each potentially designated agent under G.S. 163-165.7(f)(9)) that are not connected to any network and are located within a secure facility, as described in Subparagraph (d)(3) of this Rule, designated by the State Board of Elections. Such computers shall be preloaded with software tools necessary for use in viewing, searching, and analyzing the information subject to review, including tools permitting automated source code review. Such computers shall have the following access controls:

(A)          Credentials shall be traceable to individuals. Generic login accounts are not authorized. Sharing of accounts and reuse of credentials is prohibited. Each user must have their own assigned login account.

(B)          Only one administrative account shall be present on the system to allow for the initial provisioning of necessary applications and setup of security controls.

(C)          Where passwords are used to authenticate authorized individuals, login accounts shall use complex passwords. A sufficiently complex password is one that is not based on common dictionary words and includes no fewer than 10 characters, and includes at least one uppercase letter, one lowercase letter, one number, and a special character.

(D)          Screen lock times shall be set to no longer than 10 minutes.

(E)           All computers shall be locked or logged out from whenever they are not being attended and used.

(F)           The entire hard drive on any computer must have full disk encryption. Where possible, the minimum encryption level shall be AES-256.

(G)          After the information subject to review and software tools for viewing are loaded on the computers, all ports shall be sealed with tamper-evident seals.

(H)          After the ports are sealed, no input/output or recording devices may be connected to the computers. The State Board shall provide for the secure storage of any equipment used for the duration of the review.

(2)           The computers shall be air-gapped and shall not be connected to a network, and any feature allowing connection to a network shall be disabled. Prohibited network connections include the Internet, intranet, fax, telephone line, networks established via modem, or any other wired or wireless connection.

(3)           The secure facility designated by the State Board under Subparagraph (1) of this Paragraph is the specific location where the computing equipment will be stored and the review conducted, and may be a secured portion of a building. All conduct within the facility shall meet the following conditions:

(A)          For the entire review period, the facility shall be secured from access by any person not designated under Subparagraph (b)(1), Part (d)(3)(G), and Subparagraph (d)(7) of this Rule.

(B)          Only individuals authorized under Subparagraph (b)(1), Part (d)(3)(G), and Subparagraph (d)(7) of this Rule may enter the facility. Such individuals shall present government-issued photo identification upon initial entry, and may be asked to show identification multiple times throughout the review period.

(C)          Each time an individual accesses the facility, the State Board or its designee shall record the name of the individual, the time of their entry, the time of their departure, and a description of any materials brought in or out of the facility.

(D)          All equipment used in the review, as specified in Subparagraph (d)(1) of this Rule, must remain in the facility during the review period.

(E)           No authorized person pursuant to this Rule shall possess any removable media device, cell phone, computer, tablet, camera, wearable, or other outside electronic device within the facility where the person is accessing information in escrow.

(F)           No authorized person shall attempt to connect the computers used in the review to any network.

(G)          State personnel who are designated by the Executive Director of the State Board of Elections and who also satisfy the conditions set forth in Subparagraphs (b)(2) through (b)(5) shall have access to the facility where the review is being conducted at all times, to monitor the process and ensure that all requirements of this Rule are complied with.

(H)          Persons entering the facility shall submit to inspection, as provided for in Subparagraph (b)(5), and shall be denied entry if they possess any unauthorized devices.

(I)            State personnel designated pursuant to this subsection shall inspect the computers used in the review before and after the review for compliance with Subparagraphs (d)(1) and (d)(2).

(4)           Authorized persons are permitted to perform manual source code review, and use code analysis tools as provided in Subparagraph (1) of this Paragraph, to analyze the source code. This source code review shall be performed using "read only" access and any authorized person shall use only the analysis tools preloaded on the computers, as described in Subparagraph (1) of this Paragraph, to examine the information placed in escrow.

(5)           Any review performed pursuant to this Rule shall occur during the State Board's regular business hours and shall last no longer than 10 business days. Such review shall not occur during the period from the start of early voting through the conclusion of statewide canvassing of the vote.

(6)           Authorized persons and the vendor are each responsible for bearing their own costs in conducting the review pursuant to G.S. 163-165.7(a)(6).

(7)           Up to three representatives of the vendor may be designated in writing to the State Board by a corporate executive of the vendor to supervise the review at all times. Such representatives shall not interfere with the review and shall be afforded an opportunity to inspect the facility for compliance with these conditions prior to the review commencing. State Board staff designated under Subparagraph (3) of this Paragraph shall monitor the review, without obstructing the review process.

(e)  Dispute Resolution. Any dispute that arises between an authorized person and a vendor concerning the execution of review pursuant to this Rule may be presented to the State Board of Elections in the form of a petition seeking relief. The party seeking such relief shall serve their petition on the opposing party, and the opposing party shall have 14 days to respond. The State Board shall make a decision on the petition based on the written submissions, or it may schedule a hearing to consider the petition.

History Note: Authority G.S. 132-1.2; 132-1.7; 132-6.1; 163-22; 163-27.2; 163-165.7; 163-165.9A; 163-166.7; 163-275; 42 U.S.C. 5195c;

Eff. February 1, 2024.